In its Framework Volume, COSO said, “Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is how information is disseminated throughout the orga­nization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant exter­nal information, and it provides information to external parties in response to require­ments and expectations.”

However, as with the other components of the COSO Cube, the objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Rittenberg says that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to have the requirement to develop, create and implement policies and procedures; they have to be communicated downward in the organization and there should be feedback back up the organization regarding this process. Finally, as Rittenberg continues, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”

I. Objective IV-Information and Communication

The objective of Information and Communication consists of three principles. They are:

Principle 13 – “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.”

Principle 14 – “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”

Principle 15 – “The organization communicates with external parties regarding matters affecting the functioning of internal control.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives and that the 17 Principles are readily adaptable to compliance. I think they are more than simply adaptable as they provide a clear road map for the CCO or compliance practitioner on how to set up the right compliance controls. Finally, I believe that the SEC will measure your company’s internal controls against each of these 17 Principles and if you cannot map your internal controls to them and provide audit evidence, you may well in FCPA hot water.

Principle 13 – Use of relevant and quality information

The Framework Volume makes clear that this Principle relates to ‘relevant’ information and not simply reams and reams of data for data’s sake. Rittenberg said this Principle requires that “Relevant, timely and quality information needs to be assessed by management and others to help identify” several areas within a company. For the CCO or compliance practitioner this means that you need to identify relevant data, which can include both internal and external data. The hard part is to move that data to actionable information. Rittenberg also suggests that you need to consider the characteristics of the information and “whether or not such information is being used correctly and timely.” The Framework Volume goes on to detail several categories of both internal and external information which can be a good starting point to be used as sources from which management can generate “useful information to relevant internal controls.”

Principle 14 – Communications Internally

This is the Principle that brings the up and down and indeed horizontal action required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process”.

Therefore, under this Principle you will need to determine several different things from the compliance perspective. Does the Board communicate in a downward mechanism that gets its relevant instructions to the CCO or compliance function? Does the CCO or compliance function communicate upwards with the Board? Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above to ascertain that policies and procedures are effectively spread throughout an organization.

Principle 15 – Communications Externally

This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites to the need for companies to communicate with third parties about relevant Codes of Conduct or similar documents, which might apply to them. He also pointed to the example of information about a hotline that could be provided to a third party to report any compliance related issues. But more than a company sharing its relevant compliance information with contracted third parties, whether they be on the sales side or in the supply chain, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls…and regulatory communication.”

II. Discussion

Obviously there must be communications lines up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this Principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties.

Information and Communication requires a wide range of information to go up and down the corporate chain. The article “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13” relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program.  A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success so you can bring a wide range of talents, skills and imagination to bear on this objective.

Howell noted that “communication internally is how you establish the communications with your sales organization, with your sales operations? How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, and your internal auditors and your external auditors and the board, to give the audit committee of the board comfort that the company has put in place the right levels of controls.

A final point on communications externally. In the compliance realm, your external communications fall towards your third parties because that is your greatest risk for bribery and corruption. Your third parties are either part of your sales side of the organization in the form of agents, distributors, resellers, et cetera, or on the supply chain side who are delivering a product yet, as part of the supply chain, they are helping you create and build your product or integrate into your service that you’re going to deliver, that you’re going to sell, that is going to be subject to review. 

Three Key Takeaways

  1. This Object is about the use of relevant and quality information.
  2. You need to document your internal communications so auditors can review the audit trail.
  3. In compliance, this Objective will relate to your third party compliance program.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

We take things a different way in this episode as the commentators throw out five topics for consideration by the group. Last week we had topics from Jay and Matt; this week from Jonathan and Tom.

Topics from Jonathan:

  1. The right to be forgotten in the EU;
  1. Big data and compliance-the EU regulators wrap anti-trust issues into data privacy;
  1. A wrap up for the 6 years since the Bribery Act came into existence; and
  1. The troubling inclination of UK regulators to engage in burden shifting in anti-bribery cases.

Topics from Tom:

  1. In view of Trump’s abysmal performance at the G-20, will other countries ramp up anti-corruption enforcement?
  1. Will the new book by Jesse Eisinger The Chickenshit Club make any difference?
  1. Three months ago the SFO appeared to be in trouble. Now it is leading the anti-corruption charge. Tying into Q1 above, will we see more aggressive enforcement out of the UK?
  1. Now that compliance has become inculcated into the business process of most energy companies, with the attendant benefits, will there a pull back on the business side of things.
  1. Can a new comer really win the AL? What does the panel see in the second half of the season?

In its Framework Volume, COSO Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and busi­ness performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, manage­ment selects and develops alternative control activities.” The concept of a ‘second set of eyes’ is directly enshrined in this objective. Finally, Control Activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.

I. Objective III: Control Activities

The objective of Control Activities consists of three principles. They are:

Principle 10 – “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”

Principle 11 – “The organization selects and develops general control activities over technology to support the achievement of the objectives.”

Principle 12 – “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives when it noted “The risk assessment driven by the company’s management provides a context for designing the Control Activities necessary to reduce risks to an acceptable level (Principles 10, 11 and 12). Note that Principle 10 deals with the selection and development of control activities that mitigate risk to the achievement of compliance objectives, and Principle 12 deals with the development of control activities through established policies and procedures. Principle 11 addresses the impact of controls over general technology to the extent they impact the achievement of control activities.”

A.        Principle 10 – Selects and Develops Controls Activities

Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.”

B.        Principle 11 – Selects and Develops General Controls over Technology

The Framework Volume recognizes the dependency between the use of technology in business processes and compliance control. The use of technology will only be greater and more important going forward. I would certainly expect the SEC to focus on a company’s use of technology in any evaluation of its overall compliance program. Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure, around compliance internal controls, security management of the same and then use this information to move forward to obtain and implement the most appropriate technology around your compliance internal controls.

C.        Principle 12 – Control Activities established through policies and procedures

This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”

While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the inter-relatedness of all the five COSO Objectives. It is your Control Environment and then Risk Assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.

II. Discussion

This Objective demonstrates the inter-relatedness of the corporate functions in your organization. From a financial reporting perspective, the Control Activities objectives requires that you put in place accounting processes, revenue recognition tools, contract management systems and other accounting tool sets, software to manage your process. This easily translates into the compliance realm as well. This puts you into the entire whole technology issue and portends an enormous amount of information provided by entity.

Howell explained in the financial realm, “if you’re dealing with the cost to acquire contracts, you may well have all of the contract information in your accounting systems but you have never before had to go get that commission information and some of these other COSO elements.” Such data will be scattered literally across the globe, so you need to have the controls over both the accumulation and the attestation required that that is the right set of data. This is in many ways more challenging, and it is the difference between pulling a band aid off all at once or pulling it off slowly.

This requires two separate processes, so you need to be able to reconcile those two and to get the auditors and yourselves comfortable with the controls over the accumulation and the reporting of that information. This process will typically require a lot of changes to IT systems, the technologies involved and it requires that the controls be in place both for the disclosures that you need to make for the reconciliation of that disclosure.

This Objective requires that you have new ways of capturing that information, gathering that information, confirming the accuracy and completeness of the controls reporting it. When selecs the control activities, what control activities do you need if you are using disparate accounting systems in different locations across the globe? Moreover, if you getting into the general controls over technology, what are the system controls are in place to ascertain that the new information that you’re getting is the information you really need and it’s what you think you’re getting? The Control Activities regarding the policies and procedures is certainly an important consideration going forward.

Three Key Takeaways

  1. Think of a second set of eyes as a primary control activity.
  2. Segregation of duties must always be employed.
  3. Control Activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

In this episode, Matt Kelly and I take a deep dive into the Dodd-Frank and Sarbanes-Oxley reform initiatives in the House of Representatives and as articulated by incoming SEC Chairman Jay Clayton. For more see Matt Kelly’s blog post SEC Chair Clayton Talks Compliance Costs.

The Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful, however the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider both internal and external changes which can effect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services which could increase risk of running afoul of these laws.

Objective-Risk Assessments

The objective of Risk Assessment consists of four principles. They are:

Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 – “The organization considers the potential for fraud in assessment risks to the achievement of objectives.”

Principle 9 – “The organization identifies and assesses changes that could significantly impact the system of internal control.”

 Principle 6 – Suitable Objectives 

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments and even fraudulent over-charging and pocketing of the differences in sales price. This means that it should be considered as an important risk analysis. It is important that any company follow the flow of money and if the Fraud Triangle is present, management be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.

Discussion

The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Obviously risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluatoin of Corporate Compliance Programs, issued in February 2017.  The regulators are telling companies specifically that they should be seeing new risks that they need address because of the changes brought about by the new standard.

Howell noted that “in the internal control arena, fraud risk in particular is something that has been keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments; “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.”

Another example is that sales folks are giving concessions to customers that are not being reflected in their understanding of the contract and the accounting for the contract.” Howell went on to add might be other activities that are going on to acquire contracts that aren’t being properly accounted for or even recognized at some level. That the concessions are being given at the backend for return that aren’t being reported back into the process of how does that affect the estimate of cheap revenue going forward.

Finally, risks that a company has misstated or underestimated, require a determine if revenue should be recognized over a period of time or estimated what that period of time is to recognize the revenue if it is a rolling time frame Howell stated, “For example, the period of time could be longer which means that your revenue would recognized over a longer period of time. There’s always the risks that revenue could be recognized too early and that cost could be pushed out and spread over too long of a period of time. As we begin to think about these new judgments that are required, you get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls, and have a plan to respond if they discover that the risk has actually happened and they have a failure.”

Three Key Takeaways

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, their determination and their management changes over time so be cognizant of changes in business practices on the ground.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.